09-17-2007 06:05 AM - edited 03-18-2019 07:50 PM
We have a helpdesk and we would like to delegate to them the ability to change Unity subscriber information and passwords without sharing the administrator level passwords. I don't see where this is possible from within the Unity Admin pages. Does anyone have an idea of how this can be done? We are using Unity 4(2).1
09-17-2007 06:28 AM
Hi Abraham,
This is possible via the Subscriber COS.Have a look;
For Unity 4.0.5 and later
Class of Service System Access Settings
Class of service system access settings specify which tasks, if any, subscribers including other system administrators can do in the Cisco Unity Administrator. You can customize access to Cisco Unity in several ways. For example, you can deny access to the Cisco Unity Administrator, or deny access to specific pages in the Cisco Unity Administrator, such as COS, subscriber, or distribution list pages.
When you deny access to specific pages in the Cisco Unity Administrator, the links for these pages are disabled for the subscriber. Alternatively, you can specify read, edit, add, or delete privileges for these pages, or can allow subscribers access to subscriber pages only for the purpose of unlocking subscriber accounts or changing subscriber passwords.
Before modifying system access settings for a COS, consider the best practices outlined in the Cisco Unity Security Guide. Refer to the "Best Practices for Modifying and Assigning Classes of Service" section in the "Accounts and Permissions" chapter. The guide is available at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/unity40/usg/ex/index.htm.
From this good Unity doc;
Hope this helps!
Rob
09-17-2007 02:19 PM
Hi Abraham -
In addition to Rob's excellent post, I have some additional information in case you have multiple Unity servers which need to be handled by your Help Desk. The COS will only work for the Unity server in which your Help Desk are subscribers. If your Help Desk need to administer passwords, for example, on other Unity servers, here is how to do this:
- On each Unity server, create a new subscriber. You can standardize on a name like HelpDesk_unityservername. Use a dummy extension, which you can get from your CallManager's dial plan.
- Put this userid into the COS that has only the SA access required, i.e. authorized to reset subscriber passwords.
- Using the grantunityaccess utility in Unity Tools Depot, associate each Help Desk user's domain account (domain\userid) with this HelpDesk_unityservername userid.
- Repeat this step for each Unity server you have in your environment.
Regards, Ginger
P.S. Kudos and 5-points to Rob for the great response :-)
09-18-2007 04:28 AM
Thanks Ginger :) This means alot to me, especially coming from one of my FAVE NetPros!
Take care,
Rob
09-24-2007 12:24 PM
Hello,
Thanks for the information it helped a lot. I am using the method Ginger suggested because I have three unity servers that I need them to administer. These boxes are all part of the same AD Domain. Now I have another problem, I can run the GrantUnityAccess from one of the servers, but on the other two I get the following error when I try to run the utility:
D:\CommServer>grantunityaccess -u SVMUNITY.IPT\DCMHelpdesk -s AbrahamBendayan
Failed getting subscriber's object ID from database.
Logfile generated: E:\CommServer\Logs\GrantUAccess_46f81c57.txt
-- Operation FAILED --
Here are the contents of that log file.
Mon Sep 24 15:21:43.65 Entering Initialize \ConnectorClientBase.cpp (line 48)
Mon Sep 24 15:21:44.471 Exiting Initialize \ConnectorClientBase.cpp (line 89)
Mon Sep 24 15:21:44.471 Entering GetSimpleFilter \ConnectorClientBase.cpp (line 412)
Mon Sep 24 15:21:44.487 Exiting GetSimpleFilter \ConnectorClientBase.cpp (line 428)
Mon Sep 24 15:21:44.487 Entering GetRowSet \ConnectorClientBase.cpp (line 105)
Mon Sep 24 15:21:44.487 Exiting GetRowSet \ConnectorClientBase.cpp (line 121)
Mon Sep 24 15:21:44.487 Entering GetOneRow \ConnectorClientBase.cpp (line 127)
Mon Sep 24 15:21:44.502 spRowset->Item(0) reports no more rows. Exiting function. \ConnectorClientBase.cpp (line 134)
Mon Sep 24 15:21:44.518 Failed getting rowset for subscriber AbrahamBendayan Exiting Function. 0x8004010f \GrantAccess.cpp (line 356)
09-24-2007 12:49 PM
Hi -
In the command syntax, the -s xxxxx must be a local subscriber on that Unity server. If AbrahamBendayan is a subscriber on another Unity server, this is why the command is not working. If that is the case, create a dummy subscriber on the Unity server and give it a dummy phone extension. Assign it to the correct COS. Then rerun the grantunityaccess and use that account for the -s xxxxx.
Ginger
09-24-2007 01:26 PM
Ginger,
Thanks for writing back. Duh, I was using the command in reverse. That worked great, thanks for the help, sorry for the reply, my brain is still off from the weekend!
AB
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: